Data privacy laws change every year and the requirements to comply with them get stricter and more stringent.
What’s common among these regulations is the timely and precise communication of how your business handles and processes personal data.
Again, regardless of whether you ever have a legitimate customer from another jurisdiction, if you’re receiving web traffic from those locales (and collecting data on those individuals), you’re now legally liable for following the privacy regulations of that region. For example, if you receive traffic from Spain, you’re now bound to uphold the data protection regulations outlined by the European Union under both the GDPR and the ePrivacy Directive.
Cookie banners pop up when you first visit a website, asking users if they agree to their use. A cookie manager can then record their responses and help users opt-out. Privacy policies, on the other hand, are usually only displayed when the user initiates an action on the website — such as signing up for a newsletter or completing a purchase.
Yes, privacy policies are a legal requirement under several data privacy laws. The GDPR, CCPA, LGPD, and PoPIA all require businesses to disclose how they store and handle user data.
Article 4 of the GDPR defines personal data, and the regulation provides a framework for how businesses must handle, store, and delete that data when requested. The CCPA, together with its sister legislation the CPRA, does the same by requiring businesses to disclose how they collect and store data.
1. An introduction
2. Personal data collection and use
- Phone numbers
- Mailing address
- Credit card details
- Email address
3. Personal data retention and deletion
4. Children’s data (if relevant)
5. How changes will be communicated
Privacy policies are never static documents. They can (and should) be updated for a myriad of reasons:
- New privacy laws in your country
- As your business grows
- When you add new products and services
6. How to make a complaint
All privacy policies must also clearly outline how customers can make a complaint if they feel that their privacy conditions have not been met. In some cases, companies may have a privacy ombudsman who handles these matters. A data compliance officer is also a mandatory requirement under the GDPR, albeit loosely enforced.
Information here can include mailing addresses, phone numbers, email addresses, and online form submissions — giving users the option to choose from whatever is convenient to their needs.
7. Rights of Users
Here are some rights you may want to inform users about:
- The right to their information
- The right to rectify personal details
- The right to prevent data from being shared
- The right to delete their data
- The right to speak with a supervisor, if requested
We definitely don’t recommend copying and pasting this template. Please read through it and adapt it to your business. Add your name, address, product and service information, and other key details that are relevant to your operations.
Fines for Non-Compliant Privacy Policies
GDPR: A failure to comply with the GDPR means you can face fines of $20 million or up to 4% of your company's global annual turnover (whichever is higher).
PIPEDA: The maximum possible fine under PIPEDA, the Canadian privacy law, is $100,000.
CPRA: You can be fined up to $7,500 for each CPRA violation and an additional $2,500 for an accidental breach.
It is important to comply with privacy laws around the world to avoid serious financial penalties and damage to your company's reputation.
Further Reading about Privacy Policies:
- Benefits of data privacy
Privacy policies are critical, but it’s understandable that you might have some questions. Check out these frequently asked questions, or reach out to us if you have a question not covered below.
Yes, you are. If there’s a chance that you might receive web traffic from consumers in jurisdictions that have privacy laws, you need to explicitly outline what user data you’re collecting, how it’s being used or shared, and how it will be disposed of. Additionally, many jurisdictions like California and the EU require that you give their citizens clear access to view the data that’s been collected, refuse for it to be shared, or request that you delete it.
If you’re feeling lucky and optimistic that their policy will completely match your intentions, sure, you could. But this can be dangerous for a few reasons. First, if the policy you’re copying isn’t even close to being compliant, you’re starting from a losing position. And as we’ve stated several times, if you’re caught being noncompliant, it’s the most expensive lesson you’ll ever learn.
Aren’t privacy policies expensive?
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.